8c760bec029ea6141d35b95025918456ae253d08ca62b197acbf224bd68acd25

Analysis

max time kernel
321s
max time network
321s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-11-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RunAsAdmin.exe
Size

8.3MB
MD5

8948a3a62718aa7906f6cc88feacfcde
SHA1

f0d30913f6d892604ae38a57e267e91853c687d3
SHA256

8c760bec029ea6141d35b95025918456ae253d08ca62b197acbf224bd68acd25
SHA512

dc67bc715d051395d46e9d806e2fe2378a44e24b148906e75326d3fff159ef78286a2199c1988c042245a308276855f595b812d1aa1f2ce755d11bf7f814c1dc
SSDEEP

196608:MaCN2Jv0hkNypk65cNYHeLgDsDokeAMRvSnOwFw/wcHwLFrMthx:M9NCv0hDlHeLgD8eAEpwFw/w6wLFEh

Score

6^/10

defense_evasion discovery evasion privilege_escalation trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

RunAsAdmin.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA RunAsAdmin.exe
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

RunAsAdmin.exe

pid process

3044 RunAsAdmin.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

RunAsAdmin.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language RunAsAdmin.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RunAsAdmin.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RunAsAdmin.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies registry class 20 IoCs

Processes:

RunAsAdmin.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	RunAsAdmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	RunAsAdmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	RunAsAdmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewID = "{82BA0782-5B7A-4569-B5D7-EC83085F08CC}"	RunAsAdmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	RunAsAdmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 9e0000001a00eebbfe23000010007db10d7bd29c934a973346cc89022e7c00002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020002a0000000000efbe7e47b3fbe4c93b4ba2bad3f5d3cd46f98207ba827a5b6945b5d7ec83085f08cc20002a0000000000efbe000000200000000000000000000000000000000000000000000000000100000020000000	RunAsAdmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	RunAsAdmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	RunAsAdmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	RunAsAdmin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	RunAsAdmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags	RunAsAdmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	RunAsAdmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	RunAsAdmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f4225481e03947bc34db131e946b44c8dd50000	RunAsAdmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	RunAsAdmin.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_FolderType = "{FBB3477E-C9E4-4B3B-A2BA-D3F5D3CD46F9}"	RunAsAdmin.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\TV_TopViewVersion = "0"	RunAsAdmin.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	RunAsAdmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	RunAsAdmin.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	RunAsAdmin.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

RunAsAdmin.exechrome.exe

pid process

3044 RunAsAdmin.exe
3044 RunAsAdmin.exe
1380 chrome.exe
1380 chrome.exe
1380 chrome.exe
1380 chrome.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

RunAsAdmin.exe

pid process

3044 RunAsAdmin.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

RunAsAdmin.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3044	RunAsAdmin.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe
Token: SeShutdownPrivilege	1380	chrome.exe

Suspicious use of FindShellTrayWindow 38 IoCs

Processes:

RunAsAdmin.exechrome.exe

pid	process
3044	RunAsAdmin.exe
3044	RunAsAdmin.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe
1380	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

RunAsAdmin.exe

pid process

3044 RunAsAdmin.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1380 wrote to memory of 2024	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 2024	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 2024	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 288	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 280	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 280	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 280	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe
PID 1380 wrote to memory of 3048	1380	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\RunAsAdmin.exe
"C:\Users\Admin\AppData\Local\Temp\RunAsAdmin.exe"
1⤵
- Checks whether UAC is enabled
- Access Token Manipulation: Create Process with Token
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef66a9758,0x7fef66a9768,0x7fef66a9778
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1132 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:2
  2⤵
  PID:288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1408 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:8
  2⤵
  PID:280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1460 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2184 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2204 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1296 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:2
  2⤵
  PID:2116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2020 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3676 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:8
  2⤵
  PID:2564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=3716 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=2096 --field-trial-handle=1220,i,746148281134616774,4965754234586022701,131072 /prefetch:1
  2⤵
  PID:2924

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1208

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
5b70bdf3e7a5fe73c998c44167f48d7a

SHA1
2ddc58b9ad6345819740e2c9018640180536baa3

SHA256
01eba591a4807503345080d7b09c73869113ca479dc6fe9042b28930800473f7

SHA512
7585b6ba1b28a18c0a4bebd979880fe11c7fa22afa7af453dcafa26510575e2d7f1c06efb42ccfbcc2587791d6772412ca64adf6116f094cf978066135f4da2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f432707c3151b49be0544b5e1b174ab4

SHA1
124c017f8f19c77daeeba79dccfe4a6dcee4fc1b

SHA256
d0a4d0a9a2cf411884b9060970bb3309fa32ebcd1e7f80f4632010ddafcc5132

SHA512
b92af8b85e6f46df9499ba40dcb3e61d4ab8b7a0679e5c13675888b12683ece0eb3da27707855652be0e98f0ca8e177d8ea7464bf745cd0132a4db8482f4ec36

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
98fb45efb5cda3420d763ff9dbcb689e

SHA1
ab593f08e480f2efe5512cac269c9ceb1c2592c2

SHA256
521e4b52d77eca2cbc85ae7ccba567dc53df7a78e77369fcfc2fdae6a27b8b88

SHA512
801c38fa0773f86661c5c13c7977d38dce5252567ba3c2bb99894518084ddd367148b2b2ddccb88eb79228142e5e7d0beead8475f039ea3a2eb518210e2498a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
3f99a589421f0a414ca212dea185bd04

SHA1
f24164f5dc15c42bb2a63b50978c3fe2435b45b8

SHA256
c4ff3ecb6a00f962ae1b0c133b516ddae0fc2e7071a74aa8833699a62b8d936e

SHA512
d4b790911490adfebf941cf1dc9fe1116031c4c2ae16d849e0a5d865eadc01d1b793f86d4456cd71db1282a138df9992027a46d33cf5d5772636e687a4fc91a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
ee6837841bb3b4fa2f5fa7aa46aa7416

SHA1
2dddd4b8c50c7b966bc476a3c901d6ded49743a2

SHA256
f86965a56383bcf2ce6887af45aec842e030b0d45d66d9133906bc7c500a58be

SHA512
a1d20bf27e29e8f612f1c7b54d1800164afee9581e5aa51e80d2c6332c22704118ce8d679e4f3ee5112bfa65fcfaf0134077eef701a6d41f084fa023b831750a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
11c624006d7d1b02ac7d9e90179f8f89

SHA1
697a767b3d6e0519ea07cbf11a7d38afd6658374

SHA256
4ec10cb1652b04a8afdc37ab6e15ff48893dcd9684136cc8ba17705a6e5b7e56

SHA512
fd778fa61018355a9f2f9eb990e61245ef18849551bd941560e0e23f201d3fa2b09d5e8380753cf8b2426e7c9202742738848e5d651f21c29c1e6890de93ee81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
14d8420bf4a6a971f361b62eb5312805

SHA1
c7de874847a2f6c156bdb4c29bc1f9e70d92dffd

SHA256
99ec5c562e1fbc1c616a6fd8ea116118d7347c7f693c56925bfe32cf0565f9bc

SHA512
3434b490ecb9c7fca003c580919102bb2e924b86988d17d70801fe1f296c5edbd79a3d515bbfca4959279c9cc44129fe66564c17fc1742ef04bb2cceff2c1016

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b00589ccf2f7ebb0f0e751624dd362ac

SHA1
9449fbac7b87dc3abaf76415c459fa3ecd2f6c56

SHA256
cbe889cf07d749eea504b3d16c2c3b3129a91d85fb0a49113db91bf35f796d7c

SHA512
7318f55748814fe5cfdf3ec5985c282f4c304473a3df69bc383a5461e44e1d1ad0b24da9bc56e99f8b1e22b9a0e20786d651fbf2256f5878a3708482cb0f4bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f515fffb8c47652ff7dc349af3e40364

SHA1
094f95b04aaa865f04dc05e695e0198e43b4bf79

SHA256
3ca0bf98fb0bca2094e27f3fbb036b836683a683b692fc083c4a82e4e282ee7f

SHA512
6ec4ee541121f6b3ceb78536fd1f28fb77de2b4f3239587bd7391a7d6052795c66519c79b8e14cbebe2b3a85bd85e91a8a60ac2852c636d130d6b85064e52418

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a4cf89e5885d3646d320555200f81ab8

SHA1
433d7bfd00394e77d98037777f1396192e348df1

SHA256
9451c92596be26d795b32d87647181cd5ae04f41d3a759e8295993279e12399a

SHA512
c3e3c24f1e12ffddd0de4ec55cd1f58c452d07a0c18cc989b1261d1ada490f52f8e53ba687c98ef701057dec2f2d9d78b9f6e69fcc5f2d66b69565e57baf64f2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
ac054fe037a8c8116f9dbd2b5253ca5e

SHA1
8e66dafd8d3a26c6867a669d3c7439b42c2bbe17

SHA256
4551a4039e528bd3b8a6b93482651c86a2663e2726978a9cf4a6d1d3077cfc5b

SHA512
541d5973f6f343b1ef8b757a7c634b8445d8b09c29e86f7a3d1c085111373f9f5190d7aab1d1703946b67b3ae53c503ddab13e2cdd1fbfd8d91af98617c05ce4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Public\Documents\RunAsAdmin\Logger_2024-11-21.db

Filesize
32KB

MD5
6ed1d10c17a92a085d350d198fc8a69d

SHA1
eed3eb920508f9e2d75ac871c1102ecbb7761690

SHA256
7888ef9d0f681976da80dd47b4018c7edc9d31628c1b7098278b0d0090fe70ed

SHA512
6bf88cc655721f3ec12f442309726343ae628bca05d41ae2e49b63ce925611f4c741a17f1a16fab6937df1ef79009f58677027fb4e38b6615d445e3daff3b7ce

Download Submit
\??\pipe\crashpad_1380_WOVEYJUBMSDPIJYM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/3044-14-0x0000000007840000-0x00000000078B2000-memory.dmp

Filesize
456KB

Download
memory/3044-64-0x00000000056E0000-0x00000000056E8000-memory.dmp

Filesize
32KB

Download
memory/3044-24-0x0000000007190000-0x00000000071AE000-memory.dmp

Filesize
120KB

Download
memory/3044-25-0x0000000007080000-0x0000000007088000-memory.dmp

Filesize
32KB

Download
memory/3044-26-0x0000000008280000-0x00000000082CC000-memory.dmp

Filesize
304KB

Download
memory/3044-27-0x00000000072D0000-0x00000000072F6000-memory.dmp

Filesize
152KB

Download
memory/3044-28-0x00000000071C0000-0x00000000071C8000-memory.dmp

Filesize
32KB

Download
memory/3044-29-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/3044-30-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-31-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/3044-32-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-34-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-38-0x0000000000EC0000-0x0000000000ECC000-memory.dmp

Filesize
48KB

Download
memory/3044-17-0x0000000008870000-0x00000000088EA000-memory.dmp

Filesize
488KB

Download
memory/3044-44-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-18-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-16-0x0000000006A00000-0x0000000006A10000-memory.dmp

Filesize
64KB

Download
memory/3044-15-0x0000000007F70000-0x0000000008020000-memory.dmp

Filesize
704KB

Download
memory/3044-12-0x0000000001050000-0x000000000106A000-memory.dmp

Filesize
104KB

Download
memory/3044-13-0x0000000001070000-0x0000000001078000-memory.dmp

Filesize
32KB

Download
memory/3044-0-0x0000000073D1E000-0x0000000073D1F000-memory.dmp

Filesize
4KB

Download
memory/3044-11-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/3044-10-0x0000000000E70000-0x0000000000E7A000-memory.dmp

Filesize
40KB

Download
memory/3044-9-0x0000000000D10000-0x0000000000D1A000-memory.dmp

Filesize
40KB

Download
memory/3044-8-0x0000000000CA0000-0x0000000000CC6000-memory.dmp

Filesize
152KB

Download
memory/3044-6-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/3044-7-0x0000000000310000-0x000000000031A000-memory.dmp

Filesize
40KB

Download
memory/3044-5-0x0000000000240000-0x0000000000268000-memory.dmp

Filesize
160KB

Download
memory/3044-4-0x0000000000760000-0x00000000007A6000-memory.dmp

Filesize
280KB

Download
memory/3044-3-0x0000000006A90000-0x0000000006DD8000-memory.dmp

Filesize
3.3MB

Download
memory/3044-2-0x0000000073D10000-0x00000000743FE000-memory.dmp

Filesize
6.9MB

Download
memory/3044-1-0x00000000013E0000-0x0000000001C26000-memory.dmp

Filesize
8.3MB

Download